Soundarapandian Rathinasamy
2012-Sep-26 07:43 UTC
How to avoid tempfile generation for uploaded file?
Hi folks,

I am building a secure web application using Ruby on Rails which scans for viruses in uploaded files.

Currently I can access the tempfile from the ActionDispatch::Http::UploadedFile instance which Rails creates for the uploaded file and complete the scan successfully.

But I want to avoid Rails creating the tempfile, as I fear that once the virus-affected file is stored in the tempfile it may infect the system.

My question is:

*Is there any way to tell Rails: 'Generate the IO stream instance (string) instead of Tempfile'?*

If Rails gives the file as an IO stream, I can use this stream to scan for viruses.

If I am asking something fundamentally wrong, give me your suggestion.

Thanks
Soundar

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/G6r86r3qVa0J.
For more options, visit https://groups.google.com/groups/opt_out.
On Wednesday, 26 September 2012 03:43:15 UTC-4, Soundarapandian Rathinasamy wrote:
>
> Hi folks,
> I am building a secure web application using Ruby on Rails which scans
> for viruses in uploaded files.
> Currently I can access the tempfile from the
> ActionDispatch::Http::UploadedFile instance which Rails creates for
> the uploaded file and complete the scan successfully.
> But I want to avoid Rails creating the tempfile, as I fear that once the
> virus-affected file is stored in the tempfile it may infect the system.
>
> My question is:
>
> *Is there any way to tell Rails: 'Generate the IO stream
> instance (string) instead of Tempfile'?*
>
> If Rails gives the file as an IO stream, I can use this stream to scan for viruses.
>

I don't think this is a sensible tradeoff - there are plenty of better ways to make sure that temporary files aren't executable. For instance, putting the directory they're in on a partition mounted with noexec (or just NOT EXECUTING them).

On the other hand, streaming them into memory makes it trivial to completely DDOS your server, by simply sending a file larger than the available RAM.

--Matt Jones
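
The trade-off in the reply above, as an added example that is not part of the thread or of Rails: the upload stays on disk, is checked for execute bits and size, and is scanned in fixed-size chunks so memory use does not grow with file size. `scan_upload`, the constants and the signature string are assumptions; the substring match is a constructed stand-in for a real scanner.

```ruby
require "tempfile"

MAX_UPLOAD_BYTES = 1024 * 1024                 # assumed size cap for this example
CHUNK_BYTES      = 64 * 1024                   # bounded read size, independent of file size
SIGNATURE = "CONSTRUCTED-TEST-SIGNATURE".b     # constructed marker, not a real malware signature

# Scans an on-disk upload without loading it whole into memory.
# Returns one of :executable, :too_large, :infected, :clean.
def scan_upload(file, signature: SIGNATURE, max_bytes: MAX_UPLOAD_BYTES, chunk_bytes: CHUNK_BYTES)
  stat = file.stat
  return :executable if (stat.mode & 0o111) != 0   # temp file must carry no execute bits
  return :too_large  if stat.size > max_bytes      # reject before reading any content

  file.rewind
  keep = signature.bytesize - 1                    # bytes carried over between chunks
  tail = "".b
  while (chunk = file.read(chunk_bytes))           # read(n) returns nil at end of file
    window = tail + chunk
    return :infected if window.include?(signature) # also catches matches spanning two chunks
    tail = window.byteslice(-keep, keep) || window # nil when window is shorter than keep
  end
  :clean
ensure
  file.rewind                                      # leave the file usable for later processing
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create("upload") do |f|                 # constructed sample upload
    f.binmode
    f.write("x" * 100_000 + SIGNATURE + "y" * 10)
    f.flush
    puts scan_upload(f)
  end
end
```

In a Rails controller the argument would be the upload's `tempfile`, the object the original post already reads from.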